
WIP: narrow golang match comparison for pseudo versions

Open spiffcs opened this issue 10 months ago • 1 comment

Summary

This PR attempts to narrow the golang_constraint Satisfied logic as a follow-up to #1797

#1797 allows grype to proceed with matches when it encounters a package with a pseudo version. This PR limits those pseudo versions to only be compared against constraints that also contain pseudo versions.

This eliminates a case of FP where an incomplete pseudo version (which doesn't have the correct main module information) is compared against a valid semver constraint.

Example of this FP:

syft -o json ollama/ollama:0.1.32 | go run cmd/grype/main.go

...

github.com/ollama/ollama    v0.0.0-20240414223325-7027f264fbb3  0.1.29             go-module  GHSA-5jx5-hqx5-2vrj  High

In the above case v0.0.0-20240414223325-7027f264fbb3 is not < 0.1.29. Syft is unable to determine the main module version for ollama. By comparing the incomplete pseudo version to the semver constraint grype produces a FP.

This PR makes it so that packages with versions like v0.0.0-20240414223325-7027f264fbb3 are only compared to constraints that also have a similar format.

spiffcs Apr 17 '24 16:04
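The narrowing rule described in the PR text, as an added example that is not grype's own golang_constraint code: a pseudo version is only ever compared against constraint versions that are themselves pseudo versions, and any mixed pairing is reported as "skipped" rather than run through semver ordering, which is exactly what turns the ollama line above into a non-match. Everything here is an assumption for illustration: the names Evaluate, Verdict, isPseudo and compare are not grype's API, the second pseudo-version bound (v0.0.0-20240501120000-0123456789ab) is constructed, the constraint syntax is a small operator/version grammar, and pre-release tags on plain versions are deliberately not modelled. The pseudo-version regex follows the shapes documented for Go modules.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Example code for this discussion: Evaluate, Verdict, isPseudo and compare are
// assumed names, not grype's golang_constraint API.

// The pseudo-version shapes from https://go.dev/ref/mod#pseudo-versions (build
// metadata not handled). Group 2 is the 14-digit UTC commit timestamp, group 3 the hash.
var pseudoVersionRe = regexp.MustCompile(
	`^v?([0-9]+\.(?:0\.0-|[0-9]+\.[0-9]+-(?:[^+]*\.)?0\.))([0-9]{14})-([A-Za-z0-9]+)$`)

func isPseudo(v string) bool { return pseudoVersionRe.MatchString(v) }

// timestamp is fixed width (yyyymmddhhmmss), so string order is time order.
func timestamp(v string) string { return pseudoVersionRe.FindStringSubmatch(v)[2] }

// parseNums reads the X.Y.Z core; a leading "v" and anything after the first
// "-" are ignored.
func parseNums(v string) ([3]int, bool) {
	var out [3]int
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	n, err := fmt.Sscanf(core, "%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err == nil && n == 3 && strings.Count(core, ".") == 2
}

func compareNums(a, b [3]int) int {
	for i := range a {
		if a[i] != b[i] {
			return a[i] - b[i]
		}
	}
	return 0
}

// compare orders two versions of the same kind by X.Y.Z; pseudo versions then fall
// back to the commit timestamp. Pre-release tags on plain versions are not modelled.
func compare(a, b string, pseudo bool) (int, error) {
	an, aOK := parseNums(a)
	bn, bOK := parseNums(b)
	if !aOK || !bOK {
		return 0, fmt.Errorf("cannot compare %q with %q", a, b)
	}
	if c := compareNums(an, bn); c != 0 || !pseudo {
		return c, nil
	}
	return strings.Compare(timestamp(a), timestamp(b)), nil
}

var ops = map[string]func(int) bool{
	"<":  func(c int) bool { return c < 0 },
	"<=": func(c int) bool { return c <= 0 },
	">":  func(c int) bool { return c > 0 },
	">=": func(c int) bool { return c >= 0 },
	"=":  func(c int) bool { return c == 0 },
}

type Verdict string
const (
	NotSatisfied Verdict = "not satisfied"
	Satisfied    Verdict = "satisfied"
	Skipped      Verdict = "skipped: pseudo and non-pseudo versions are never compared"
)

// Evaluate checks version against a constraint such as "< 0.1.29" or
// ">= v1.0.0, < v1.2.0" under the narrowed rule: a pseudo version is compared only
// with constraint versions that are themselves pseudo versions; a mixed pairing is Skipped.
func Evaluate(version, constraint string) (Verdict, error) {
	pseudo := isPseudo(version)
	for _, raw := range strings.Split(constraint, ",") {
		raw = strings.TrimSpace(raw)
		ver := strings.TrimSpace(strings.TrimLeft(raw, "<>="))
		holds, ok := ops[strings.TrimSpace(raw[:len(raw)-len(ver)])]
		if !ok || ver == "" {
			return NotSatisfied, fmt.Errorf("malformed constraint %q", constraint)
		}
		if isPseudo(ver) != pseudo {
			return Skipped, nil
		}
		cmp, err := compare(version, ver, pseudo)
		if err != nil {
			return NotSatisfied, err
		}
		if !holds(cmp) {
			return NotSatisfied, nil
		}
	}
	return Satisfied, nil
}

func main() {
	for _, c := range [][2]string{
		{"v0.0.0-20240414223325-7027f264fbb3", "< 0.1.29"}, // the FP from the PR text
		{"v0.0.0-20240414223325-7027f264fbb3", "< v0.0.0-20240501120000-0123456789ab"}, // constructed bound
		{"v0.1.28", "< 0.1.29"},
	} {
		v, err := Evaluate(c[0], c[1])
		fmt.Printf("%-38s %-40s -> %s (err=%v)\n", c[0], c[1], v, err)
	}
}
```

The check that matters is the one on `isPseudo(ver) != pseudo`: it runs per constraint unit, so a range such as ">= 0.1.0, < 0.1.29" is skipped as a whole for a pseudo version, while two pseudo versions with the same base are ordered purely by the commit timestamp. Whether a skipped comparison should count as "not vulnerable" or be surfaced separately is a policy decision the caller has to make; this example only makes the two outcomes distinguishable.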

Quality tests are now failing - let me go check the labels

spiffcs Apr 17 '24 16:04